Stay organized with collections
Save and categorize content based on your preferences.
The AO performs encrypt and decrypt operations through the
Google Distributed Cloud (GDC) air-gapped CLI to the KMS through a gRPC client.
Before you begin
Before performing crypto operations, download, install, and configure the
gdcloud CLI to access the Management API server. To do this, follow the
gdcloud CLI overview.
To get the permissions you need to perform cryptographic operations, ask
your Organization IAM Admin to grant you the KMS Developer (kms-developer)
role.
Encrypt data
To encrypt data, use the gdcloud kms keys encrypt command. This command encrypts a
given plaintext file using the AEAD key, and writes it to a named ciphertext
file.
To encrypt data, pass in the key name and the following:
NAMESPACE: the project namespace—for example:
kms-test1.
KEY_NAME: the name of the key used to encrypt the
plaintext—for example: key-1.
PLAINTEXT_PATH: the path to the file that contains
the plaintext to encrypt.
ADDITIONAL_AUTHENTICATED_DATA_FILE: an optional
file that contains additional authenticated data (AAD). AAD is used for
integrity checks and protects your data from a confused deputy
attack. AAD and the plaintext each have a size limit of 64KB.
CIPHERTEXT_PATH: the path to the file that contains
the encrypted plaintext.
After running the command, you see a file you specified in the
--ciphertext-file flag that contains the encrypted contents of the plaintext
file.
Decrypt data
To decrypt data, use the gdcloud kms keys decrypt command. This command decrypts a
given ciphertext file using the AEAD key, and writes it to a named plaintext
file.
To decrypt ciphertext, pass in the key name and the following:
KEY_NAME: the name of the key used to encrypt the
plaintext.
CIPHERTEXT_PATH: the path of the file you want to
decrypt.
ADDITIONAL_AUTHENTICATED_DATA_FILE: an optional
file that contains additional authenticated data (AAD). AAD is used for
integrity checks and protects your data from a confused deputy
attack. AAD and the plaintext each have a size limit of 64KB.
PLAINTEXT_PATH: the path to the file that contains
the decrypted plaintext.
After running the command, you see a file you specified in the
--plaintext-file flag that contains the decrypted data.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-29 UTC."],[[["\u003cp\u003eThe AO (air-gapped operations) utilizes the Google Distributed Cloud (GDC) air-gapped CLI and a gRPC client to perform encryption and decryption operations via the KMS.\u003c/p\u003e\n"],["\u003cp\u003eBefore starting cryptographic operations, users must download, install, and configure the \u003ccode\u003egdcloud\u003c/code\u003e CLI to access the Management API server as detailed in the \u003ccode\u003egdcloud\u003c/code\u003e CLI overview.\u003c/p\u003e\n"],["\u003cp\u003eEncrypting data requires the \u003ccode\u003egdcloud kms keys encrypt\u003c/code\u003e command, where you must specify the key name, plaintext file path, an optional additional authenticated data file path, and a ciphertext file path.\u003c/p\u003e\n"],["\u003cp\u003eDecrypting data requires the \u003ccode\u003egdcloud kms keys decrypt\u003c/code\u003e command, specifying the key name, ciphertext file path, and the path for the decrypted plaintext file, in addition to the optional additional authenticated data file path.\u003c/p\u003e\n"],["\u003cp\u003eTo complete cryptographic operations, users must be granted the KMS Developer (\u003ccode\u003ekms-developer\u003c/code\u003e) role by their Organization IAM Admin.\u003c/p\u003e\n"]]],[],null,["# Encrypt and decrypt data\n\nThe AO performs encrypt and decrypt operations through the\nGoogle Distributed Cloud (GDC) air-gapped CLI to the KMS through a gRPC client.\n\nBefore you begin\n----------------\n\nBefore performing crypto operations, download, install, and configure the\ngdcloud CLI to access the Management API server. To do this, follow the\n[gdcloud CLI overview](/distributed-cloud/hosted/docs/latest/gdch/resources/gdcloud-overview).\n\nTo get the permissions you need to perform cryptographic operations, ask\nyour Organization IAM Admin to grant you the KMS Developer (`kms-developer`)\nrole.\n\nEncrypt data\n------------\n\nTo encrypt data, use the `gdcloud kms keys encrypt` command. This command encrypts a\ngiven plaintext file using the `AEAD` key, and writes it to a named ciphertext\nfile.\n\n- To encrypt data, pass in the key name and the following:\n\n gdcloud kms keys encrypt namespaces/\u003cvar translate=\"no\"\u003eNAMESPACE\u003c/var\u003e/aeadKeys/\u003cvar translate=\"no\"\u003eKEY_NAME\u003c/var\u003e \\\n --plaintext-file=\u003cvar translate=\"no\"\u003ePLAINTEXT_PATH\u003c/var\u003e \\\n --additional-authenticated-data-file=\u003cvar translate=\"no\"\u003eADDITIONAL_AUTHENTICATED_DATA_FILE\u003c/var\u003e \\\n --ciphertext-file=\u003cvar translate=\"no\"\u003eCIPHERTEXT_PATH\u003c/var\u003e\n\n Replace the following variables:\n - \u003cvar translate=\"no\"\u003eNAMESPACE\u003c/var\u003e: the project namespace---for example: `kms-test1`.\n - \u003cvar translate=\"no\"\u003eKEY_NAME\u003c/var\u003e: the name of the key used to encrypt the plaintext---for example: `key-1`.\n - \u003cvar translate=\"no\"\u003ePLAINTEXT_PATH\u003c/var\u003e: the path to the file that contains the plaintext to encrypt.\n - \u003cvar translate=\"no\"\u003eADDITIONAL_AUTHENTICATED_DATA_FILE\u003c/var\u003e: an optional file that contains additional authenticated data (AAD). AAD is used for integrity checks and protects your data from a confused deputy attack. AAD and the plaintext each have a size limit of 64KB.\n - \u003cvar translate=\"no\"\u003eCIPHERTEXT_PATH\u003c/var\u003e: the path to the file that contains the encrypted plaintext.\n\n After running the command, you see a file you specified in the\n `--ciphertext-file` flag that contains the encrypted contents of the plaintext\n file.\n\nDecrypt data\n------------\n\nTo decrypt data, use the `gdcloud kms keys decrypt` command. This command decrypts a\ngiven ciphertext file using the `AEAD` key, and writes it to a named plaintext\nfile.\n\n- To decrypt ciphertext, pass in the key name and the following:\n\n gdcloud kms keys decrypt namespaces/\u003cvar translate=\"no\"\u003eNAMESPACE\u003c/var\u003e/aeadKeys/\u003cvar translate=\"no\"\u003eKEY_NAME\u003c/var\u003e \\\n --ciphertext-file=\u003cvar translate=\"no\"\u003eCIPHERTEXT_PATH\u003c/var\u003e \\\n --additional-authenticated-data-file=\u003cvar translate=\"no\"\u003eADDITIONAL_AUTHENTICATED_DATA_FILE\u003c/var\u003e \\\n --plaintext-file=\u003cvar translate=\"no\"\u003ePLAINTEXT_PATH\u003c/var\u003e\n\n Replace the following variables:\n - \u003cvar translate=\"no\"\u003eNAMESPACE\u003c/var\u003e: the project namespace.\n - \u003cvar translate=\"no\"\u003eKEY_NAME\u003c/var\u003e: the name of the key used to encrypt the plaintext.\n - \u003cvar translate=\"no\"\u003eCIPHERTEXT_PATH\u003c/var\u003e: the path of the file you want to decrypt.\n - \u003cvar translate=\"no\"\u003eADDITIONAL_AUTHENTICATED_DATA_FILE\u003c/var\u003e: an optional file that contains additional authenticated data (AAD). AAD is used for integrity checks and protects your data from a confused deputy attack. AAD and the plaintext each have a size limit of 64KB. **Note**: You must use the same AAD you passed during the encrypt operation for the decrypt operation.\n - \u003cvar translate=\"no\"\u003ePLAINTEXT_PATH\u003c/var\u003e: the path to the file that contains the decrypted plaintext.\n\n After running the command, you see a file you specified in the\n `--plaintext-file` flag that contains the decrypted data."]]
